Status
Current state: "Draft"
Discussion thread: here
...
Please keep the discussion on the mailing list rather than commenting on the wiki (wiki discussions get unwieldy fast).
Motivation
Note: The discussion in this KIP applies to the Java-based (new) consumer only, as the old consumer does not have the security feature.
...
If we make the change suggested below, the command runs successfully and reports the group offsets.
Proposed Changes
The change proposed by this KIP is very simple: to lower the minimum required permission of the OffsetFetch
API from Read to Describe. These minimum required permissions are hard-coded in kafka.server.KafkaApis.scala
inside each API handler method. For example, the part that enforces the minimum required permission for the OffsetFetch
API currently looks like this:
...
```scala
// Return GROUP_AUTHORIZATION_FAILED unless the session is authorized for Describe on the group.
if (!authorize(request.session, Describe, new Resource(Group, offsetFetchRequest.groupId)))
  offsetFetchRequest.getErrorResponse(requestThrottleMs, Errors.GROUP_AUTHORIZATION_FAILED)
```
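To see what lowering the minimum from Read to Describe changes for each principal, the following added example (a simplified stand-alone model, not code from Kafka or from this KIP) evaluates the group check under both minimums. The `Acl` type, the `offsetFetch` helper, the principals and the group name are assumptions made for illustration; the rule that an allow ACL for Read, Write, Delete or Alter also satisfies a Describe check follows Kafka's default authorizer.

```scala
// Simplified stand-alone model (assumption), not Kafka's KafkaApis or authorizer code.
sealed trait Operation
case object Read extends Operation
case object Write extends Operation
case object Delete extends Operation
case object Alter extends Operation
case object Describe extends Operation

sealed trait ResourceType
case object Group extends ResourceType

case class Resource(resourceType: ResourceType, name: String)
case class Acl(principal: String, operation: Operation, resource: Resource)

object OffsetFetchAclDemo extends App {
  // In Kafka's default authorizer, an allow ACL for Read, Write, Delete or Alter
  // also satisfies a Describe check; the reverse does not hold.
  val impliesDescribe: Set[Operation] = Set(Read, Write, Delete, Alter)

  def authorize(acls: Set[Acl], principal: String, op: Operation, res: Resource): Boolean =
    acls.exists { acl =>
      acl.principal == principal && acl.resource == res &&
        (acl.operation == op || (op == Describe && impliesDescribe(acl.operation)))
    }

  // Models the OffsetFetch group check with the minimum operation as a parameter,
  // so the current (Read) and proposed (Describe) minimums can be compared.
  def offsetFetch(acls: Set[Acl], principal: String, groupId: String, minOp: Operation): String =
    if (!authorize(acls, principal, minOp, Resource(Group, groupId))) "GROUP_AUTHORIZATION_FAILED"
    else "NONE"

  // Constructed sample ACLs: a monitoring principal and a consuming principal.
  val group = Resource(Group, "demo-group")
  val acls = Set(
    Acl("User:monitor", Describe, group),
    Acl("User:app", Read, group)
  )

  for (principal <- Seq("User:monitor", "User:app", "User:other"); minOp <- Seq(Read, Describe))
    println(s"$principal, minimum $minOp -> ${offsetFetch(acls, principal, "demo-group", minOp)}")
}
```

Only the Describe-only principal changes outcome between the two minimums, which is the set of grants an admin would review when revisiting group ACLs after this change.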
Additional Food for Thought
As I was experimenting with the ACLs for this KIP I made some observations that made me wonder about the rationale behind their current ACL settings, and whether they need adjustments too:
...
In general, as a result of this change, Kafka admins may need to revisit the relevant ACLs and update them if necessary.
Rejected Alternatives